feat: Allow ACR authentication using Azure CLI

[xescab]

Install azure-cli in Docker image in order to use the az acr login command.

Can be used with Azure Managed Identities with the following script:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-image-updater-config
  namespace: argocd
data:
  log.level: debug
  registries.conf: |
    registries:
    - name: acrexample
      api_url: https://acrexample.azurecr.io/
      prefix: acrexample.azurecr.io
      ping: yes
      insecure: no
      credentials: ext:/app/scripts/acr-login.sh
      credsexpire: 10h
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-image-updater-config-acr
  namespace: argocd
data:
  acr-login.sh: |
    #!/bin/sh
    LOGIN=$(az login --identity)
    REGISTRY="acrexample"
    TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken)
    echo "00000000-0000-0000-0000-000000000000:$TOKEN"

Closes #550 and #473

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 67.98%. Comparing base (2bf4b0a) to head (cd76581).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #586   +/-   ##
=======================================
  Coverage   67.98%   67.98%           
=======================================
  Files          31       31           
  Lines        3124     3124           
=======================================
  Hits         2124     2124           
  Misses        856      856           
  Partials      144      144           

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

[jannfis]

Awesome! Do you mind adding some pieces of examples to the docs as well?

[xescab]

Awesome! Do you mind adding some pieces of examples to the docs as well?

Sure, I've added a new section to the https://github.com/argoproj-labs/argocd-image-updater/blob/master/docs/configuration/registries.md documentation. Do you think is it clear enough, or should add all the patches required? Where?

Thanks!

[xescab]

By the way, how can I fix the GitHub Actions / Spell checking errors? Basically I see I need to add some words to a dictionary, but I don't know how. Thanks!

[jwhy89]

Waiting on this also 🙏🏼

[jwhy89]

By the way, how can I fix the GitHub Actions / Spell checking errors? Basically I see I need to add some words to a dictionary, but I don't know how. Thanks!

I think you can add words to the .github/actions/spelling/allow.txt file.

[jwhy89]

@xescab https://github.com/xescab/argocd-image-updater/pull/1

[jannfis]

Sorry for the late reply. The suggestion from @jwhy89 is correct. The spell checking is non-critical though, but the DCO actually is. Can you please ensure that your commits are all signed off to satisfy the DCO requirement? Thank you!

[Retoxx-dev]

Hi, where are we with this? It'd be great to have that ACR feature.

[xescab]

@xescab xescab#1

Thanks @jwhy89! I've integrated your changes into my last commit, as I had to re-commit the other changes to sign the commits for the DCO requirement.

[xescab]

Sorry for the late reply. The suggestion from @jwhy89 is correct. The spell checking is non-critical though, but the DCO actually is. Can you please ensure that your commits are all signed off to satisfy the DCO requirement? Thank you!

Hi, I'm back from vacation. Thanks for looking into this. Just signed the previous commits. Please let me know if something else is missing.

[jwhy89]

Sorry for the late reply. The suggestion from @jwhy89 is correct. The spell checking is non-critical though, but the DCO actually is. Can you please ensure that your commits are all signed off to satisfy the DCO requirement? Thank you!

Hi, I'm back from vacation. Thanks for looking into this. Just signed the previous commits. Please let me know if something else is missing.

Your DCO is still failing and there's a test that needs to be fixed. You can merge my branch into yours. Then probably fix the DCO again. https://github.com/xescab/argocd-image-updater/pull/2

[xescab]

All checks pass now! :)

Can someone review it again and hopefully approve it? Thanks!

[xescab]

@jannfis, can you take a look?

[xescab]

What can I do to get this merged? :)

[xescab]

@jannfis, can you take a look?

Any news?

[etiennetremel]

@jannfis seems like you are the only maintainer, any chance you could review these changes?

[etiennetremel]

Playing around with it again, that might not be a good idea to include the entire Azure CLI in the Dockerfile.

[!WARNING] The size of the end image with Azure CLI is really big: 2.62Gb. Original image is 281Mb...

There should be a better way to retrieve the ACR token using the rest API Azure provide, but I couldn't figure out how to adjust the steps defined here.

In the meantime, I have merged this PR into the main branch in my own repo and published a publicly available Docker container on ghcr.io with some instructions to get it working with Azure Workload Identity:

https://github.com/etiennetremel/argocd-image-updater

[chengfang]

What's the size of the end image with only the necessary azure-cli components?

Looking at azure-cli install guide: https://github.com/Azure/azure-cli/issues/19591, there are some tricks to reduce the size such as deleting pycache afterwards, and selecting only the latest version of azure mgmt packages. Would these help in our case?